Rootkits – Avoiding detection Tillmann Werner, Seminar Computer Security, B-IT 2006-11-27.


© Tillmann Werner, University of Bonn. Rootkits - Staying Stealth.

Slide 2: Agenda
- Motivation and definition, short history of rootkits
- Entering the kernel: hiding and starting
- Operating system internals: how things get executed
- Modern rootkit techniques
- Covert channels for stealth communication
- Countermeasures against rootkits

Slide 3: Motivation
Attackers want to keep access to a box they have successfully compromised. At the same time they want to remain undetected, so they need to hide their presence and their traces. Using conventional ways of remotely accessing a hacked box (a normal login, a listening shell) is usually far too noisy. Once a system is under control, an intruder normally installs an invisible backdoor of their own. All attacker activity, and all data related to it, should be invisible to legitimate users, and permanent traces should be avoided wherever possible.

Slide 4: Definition
"A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer." Source: G. Hoglund, J. Butler, Rootkits – Subverting the Windows Kernel (see references).
"A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system." Source: Wikipedia.

Slide 5: Privileged access and stealth
In a nutshell: it is all about permanent access and stealth. Once an attacker has administrative privileges, assuring permanent access is only a matter of creativity. This presentation focuses on how to stay stealthy. (Figure: a layered stack of user program, operating system and hardware. Filtering the I/O that crosses the boundary between two layers can conceal the presence of a rootkit from everything above that boundary.)

Slide 6: From early rootkits...
The first rootkits appeared in the late eighties and were written for UNIX-like operating systems (see the 1989 Phrack article "Hiding out under Unix" in the references; Windows NT did not exist yet). Early versions consisted of a bunch of modified programs that replaced the original binaries on a compromised box. Typical candidates were the programs used to examine the current system state, such as ls, ps, who and netstat. The login program was also often modified to accept a special, hard-coded user or password. Reached via telnet, it let the attacker come back whenever they wanted.

Slide 7: ... to modern rootkits
The early rootkits were easy to detect: a replaced binary differs in size or cryptographic hash from the original version. There are also countless ways to query the system state, and one can even write one's own tools; comparing their results reveals the presence of trojaned binaries. Modern rootkits step down to a lower layer, the kernel. Code running in kernel mode controls every userland program as well: a program's input and output can already be filtered at the kernel level, so patching binaries is no longer necessary at all.

Slide 8: A rootkit design example
(Figure: a two-part design. In user space, a usermode program that opens a TCP port for remote control. In kernel space, a kernel driver made up of a keyboard sniffer, a packet sniffer, the main OS kernel modifications and a stealth protection component that hides the other parts.)

Slide 9: Entering the kernel: Hiding rootkit resources
A common approach to hiding a rootkit is prefix-based filtering: a resource whose name matches a given prefix is considered to belong to the rootkit and is hidden from other programs. Such a prefix can be prepended to file names, directory names or program names (which are inherited by the corresponding processes). A similar method hides network traffic from other processes: relevant packets carry a magic value in their payload, and packets carrying it are filtered out of what the rest of the system gets to see. This simple technique lets an attacker hide most activity quite successfully. The prefix is, of course, also a signature: anyone who knows it can probe for hidden names, and the magic value can be matched on the wire.

Slide 10: Entering the kernel: Starting a rootkit
A common technique is to implement the rootkit as a kernel module or driver that is loaded at runtime. Modifying an existing driver is also possible. The kernel code itself can be altered to start the rootkit; in that case both the on-disk kernel image and the running kernel must be changed (the latter, on Linux, by writing to kernel memory through /dev/kmem). A rootkit program can also be hooked into the system so that it loads automatically during operating system startup, e.g. by patching /sbin/init or, on Windows, by using .ini files. Finally, the boot loader can be modified to apply patches to the kernel just before it starts.

Slide 11: i386 architecture
In protected mode, the i386 architecture provides four hierarchical protection domains, the so-called "rings" (0 is the most privileged, 3 the least). This lets the hardware enforce a privilege model. Most operating systems use only rings 0 and 3, for portability to architectures that offer just two privilege levels. Ring 0 is also known as supervisor mode or "kernel mode"; on modern operating systems only the kernel runs there. Ring 3 is generally called "user mode" and is used to run code at an unprivileged level, where privileged instructions trap and the kernel's memory is inaccessible.

Slide 12: Entering ring 0
So how can a program get privileged work done? The operating system offers system calls to userland processes; common examples are read(), write() and open(). System calls are rarely invoked directly. Instead they are wrapped by libraries that can be used from high-level languages, such as libc or glibc on UNIX-like systems. Some platforms, like Microsoft Windows, do not want programs to use the low-level system call layer (the largely undocumented Native API in ntdll.dll) directly at all. They provide higher-level API functions (the Win32 API) that simplify common programming tasks, such as controlling a GUI, and that call down to the system call stubs internally.

Slides 13–18: Operating system internals – how things get executed
(Figure, built up step by step across slides 13 to 18; the legend distinguishes arrows for the flow of execution from arrows for memory pointers.) A program in user space calls a library or API function through its Import Address Table (IAT). The library function issues the system call, which raises a software interrupt; the CPU selects the interrupt handler from the Interrupt Descriptor Table (IDT). That handler, the system call selector, picks the requested system call from the System Call Table (SCT) and invokes it in kernel space. The result is then returned along the same path to the program.

Slide 19: Possible locations for intervention
(Figure: the same diagram with numbered hook points.) Each stage of this path is a place where a rootkit can intervene: the IAT (1), the system call code itself (2), the system call table (3), the system call selector (4) and the IDT (5); a sixth option (6) changes no execution path at all. The following slides discuss each in turn.

Slide 20: IAT Hooking (1)
On Windows, the import address table (IAT) of a program holds pointers to the API or library functions it imports. A rootkit can overwrite a table entry so that the pointer references a replacement function. That function first executes its own hostile instructions and then, if detection is not feared, calls the original API function and passes its result through. But: every process has its own import address table, so the hook must be applied per process, and the rootkit has to place a DLL with its wrapper functions in the file system. The hook is also easy to spot: an IAT entry that points outside the image of the DLL that exports the function is not what the loader wrote there, and calls resolved at runtime (GetProcAddress) or bound statically bypass the table entirely.

Slide 21: Modifying System Calls (2)
Specially crafted system call code affects all calling programs at once. The patched system call inspects its arguments to decide how to operate: if answering truthfully would reveal the rootkit, an alternative routine runs and returns a different, harmless value. Modifying system call code requires patching the running kernel in multiple locations, which is dangerous: a single error crashes the operating system.

Slide 22: System Call Table Hooking (3)
Altering the system call table is the most common rootkit technique. Selected system calls are replaced with modified versions simply by changing the corresponding pointers in the table. A rootkit system call can behave differently depending on the calling process and the arguments, e.g. an open() fails if the argument names a rootkit resource. Problem: the original contents of the table are available in several other places (the kernel image on disk, the symbol map such as System.map on Linux, copies taken at boot), so a simple integrity check that compares the live pointers with a known-good copy easily reveals the rootkit's presence.
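The system call table hook of this slide and the prefix filter of slide 9, as an added example in C (not code from the slides or from any real rootkit): a user-space model in which the "kernel" is a table of function pointers, the rootkit swaps the open() entry for a wrapper that refuses names carrying an assumed prefix `_rk_`, and a defender detects the swap by comparing the live table with a snapshot. The syscall numbers, the stand-in handlers and the prefix are assumptions of the model.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: a user-space model of system call
 * table hooking combined with the prefix filter of slide 9. The "table" is
 * an array of function pointers indexed by syscall number, as the kernel's
 * sys_call_table is; the rootkit swaps one pointer for a wrapper. The
 * syscall numbers, RK_PREFIX and the stand-in handlers are assumptions of
 * this model, not any real kernel's symbols. */

#define NR_open     0
#define NR_read     1
#define NR_SYSCALLS 2

/* Prefix-based filtering: a name starting with RK_PREFIX belongs to the
 * rootkit and must not be visible to anyone else. */
#define RK_PREFIX "_rk_"

typedef long (*syscall_fn)(const char *arg);

/* Stand-ins for the real handlers: open "succeeds" with fd 3 for every path,
 * read returns the length of its buffer. */
static long sys_open(const char *path) { (void)path; return 3; }
static long sys_read(const char *buf)  { return (long)strlen(buf); }

static syscall_fn sys_call_table[NR_SYSCALLS] = { sys_open, sys_read };

/* The system call selector: pick the handler from the table and call it. */
static long do_syscall(int nr, const char *arg) {
    if (nr < 0 || nr >= NR_SYSCALLS) return -ENOSYS;
    return sys_call_table[nr](arg);
}

/* --- rootkit side ------------------------------------------------------ */

static syscall_fn orig_open;   /* saved original, needed to call through */

static int is_rootkit_resource(const char *name) {
    /* the prefix sits on the last path component, so look at the basename */
    const char *base = strrchr(name, '/');
    base = base ? base + 1 : name;
    return strncmp(base, RK_PREFIX, strlen(RK_PREFIX)) == 0;
}

static long hooked_open(const char *path) {
    if (is_rootkit_resource(path))
        return -ENOENT;           /* lie: "no such file or directory" */
    return orig_open(path);       /* everything else behaves as before */
}

static void install_hook(void) {
    orig_open = sys_call_table[NR_open];
    sys_call_table[NR_open] = hooked_open;
}

static void remove_hook(void) {
    sys_call_table[NR_open] = orig_open;
}

/* --- defender side ----------------------------------------------------- */

/* A copy of the table taken at a trusted point in time (slide 22: the
 * original pointers exist elsewhere, e.g. in the kernel image on disk).
 * Comparing the live table against it exposes any swapped entry. */
static syscall_fn table_backup[NR_SYSCALLS];

static void snapshot_table(void) {
    memcpy(table_backup, sys_call_table, sizeof table_backup);
}

/* Returns the number of table entries that no longer match the backup. */
static int count_hooked_entries(void) {
    int n = 0;
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (sys_call_table[i] != table_backup[i])
            n++;
    return n;
}

int main(void) {
    snapshot_table();
    printf("clean:  open(/tmp/_rk_backdoor) = %ld\n",
           do_syscall(NR_open, "/tmp/_rk_backdoor"));
    install_hook();
    printf("hooked: open(/tmp/_rk_backdoor) = %ld\n",
           do_syscall(NR_open, "/tmp/_rk_backdoor"));
    printf("hooked: open(/etc/passwd) = %ld\n",
           do_syscall(NR_open, "/etc/passwd"));
    printf("integrity check: %d modified entries\n", count_hooked_entries());
    remove_hook();
    printf("after unhook: %d modified entries\n", count_hooked_entries());
    return 0;
}
```

The point to take away is that the hook is a single pointer write, and so is its detection. A real kit hooks getdents() in the same way to filter directory listings, and a real checker takes its reference copy from the kernel image on disk rather than from a snapshot made on a system that may already be compromised.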

Slide 23: Altering the System Call Selector (4)
Instead of altering the syscall table, use your own! The kernel must know where to find the rootkit's table. That is easily arranged by changing the code of the system call selector routine so that it consults the rootkit's table instead of the original one. The original table then passes every integrity check, but, again, a kernel function must be altered at runtime.

Slide 24: Interrupt Descriptor Table Hooking (5)
The pointer to the system call selector in the IDT (the entry for the system call interrupt, e.g. int 0x80 on Linux or int 0x2e on Windows NT) can be changed to point to a modified instance. This function behaves like the original selector but uses a modified copy of the system call table that references certain hostile system calls. The original selector is not touched at all. In theory one could go even further and use an alternative IDT: the address in the Interrupt Descriptor Table Register (IDTR) is then set to the location of the rootkit's table. (On CPUs where the system call is entered via SYSENTER/SYSCALL rather than an interrupt, the equivalent hook point is the model-specific register holding the entry address, not the IDT.)

Slide 25: ... and without execution flow modification? (6)
Hiding processes is also possible without touching any code path: unlinking the rootkit's process from the lists the kernel uses to manage active processes fools tools like ps or top, while the scheduler still reaches the process through its own structures. Files can be camouflaged by placing data in the file system's slack space, the unused tail of a file's last block. This is not totally safe, since the space is overwritten when the owning file grows or is reallocated, but such data tends to survive for a very long time. The price of both tricks is inconsistency: a detector that compares two views of the same state (the process list against a PID-by-PID scan, or allocated blocks against file contents) finds the discrepancy.
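Unlinking a process from the task list, together with the cross-view check that catches it, as an added example in C (not from the slides or from any kernel): the structures are a simplified model with an assumed PID index, a circular list through a sentinel, and a flag standing in for the scheduler's view.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the slides: a model of hiding a process by
 * unlinking it from the kernel's process list while it stays runnable,
 * because the scheduler and the PID lookup reach it through other
 * structures. It also shows the cross-view check that catches this. The
 * struct layout, the pid_table index and MAX_PID are assumptions of the
 * model, not the layout of any real kernel. */

#define MAX_PID 64

struct task {
    int pid;
    char comm[16];
    struct task *next, *prev;   /* membership in the global task list */
    int runnable;               /* what the (modelled) scheduler looks at */
};

/* The list is circular through a sentinel, as in Linux's init_task. */
static struct task init_task = { 0, "swapper", &init_task, &init_task, 1 };

/* Second way to reach a task: by PID. The rootkit leaves this alone, or the
 * process could no longer be scheduled or signalled. */
static struct task *pid_table[MAX_PID];

static struct task *create_task(int pid, const char *comm) {
    struct task *t = calloc(1, sizeof *t);
    t->pid = pid;
    strncpy(t->comm, comm, sizeof t->comm - 1);
    t->runnable = 1;
    t->prev = init_task.prev;          /* append at the tail */
    t->next = &init_task;
    init_task.prev->next = t;
    init_task.prev = t;
    pid_table[pid] = t;
    return t;
}

/* What the rootkit does (DKOM): unlink from the list, nothing else. */
static void hide_task(struct task *t) {
    t->prev->next = t->next;
    t->next->prev = t->prev;
    t->next = t->prev = t;    /* self-linked so a later unhide or exit is safe */
}

/* View 1: walk the list, as /proc enumeration (and therefore ps) would. */
static int count_listed_tasks(void) {
    int n = 0;
    for (struct task *t = init_task.next; t != &init_task; t = t->next) n++;
    return n;
}

/* View 2: probe every PID through the index, as a brute-force scan does. */
static int count_indexed_tasks(void) {
    int n = 0;
    for (int pid = 1; pid < MAX_PID; pid++)
        if (pid_table[pid] && pid_table[pid]->runnable) n++;
    return n;
}

/* Cross-view detection: a task reachable by PID but absent from the list
 * has been unlinked. Returns the first such PID, or -1 if the views agree. */
static int find_hidden_pid(void) {
    for (int pid = 1; pid < MAX_PID; pid++) {
        struct task *t = pid_table[pid];
        if (!t) continue;
        int listed = 0;
        for (struct task *c = init_task.next; c != &init_task; c = c->next)
            if (c == t) { listed = 1; break; }
        if (!listed) return pid;
    }
    return -1;
}

int main(void) {
    create_task(1, "init");
    create_task(2, "sshd");
    hide_task(create_task(3, "_rk_backdoor"));
    printf("ps view: %d tasks, pid scan: %d tasks, hidden pid: %d\n",
           count_listed_tasks(), count_indexed_tasks(), find_hidden_pid());
    return 0;
}
```

On a real system the second view is obtained by calling kill(pid, 0) or opening /proc/&lt;pid&gt; for every possible PID and comparing the answers with what ps lists; the rootkit can only close that gap by hooking those paths as well, which brings it back to execution-flow modification.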

Slide 26: Stealth communication: Covert channels (1)
A rootkit is only of value if it allows remote access, and remote logins must be hidden too; this is where covert channels come in. A covert channel abuses another, legitimate communication channel to carry commands and their responses by manipulating certain properties of it. Timing channels use the relative timing of events to encode information. Storage channels encode information into existing data. The information carried over a covert channel can additionally be encrypted, or obfuscated with steganography.

Slide 27: Stealth communication: Covert channels (2)
Information can be stored in the identification field of IP packets. DNS queries can also carry information that the receiver interprets differently; that protocol does not even require a direct connection, since the query travels through ordinary resolvers. Timing channels can be formed by representing bits through the duration of a session, the interval between two arriving packets, and so on. Information theory teaches that covert channels cannot be eliminated completely in a shared system, only limited in bandwidth. Statistical analysis of the abused field or timing, however, leads to detection in many cases.
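A storage channel in the IP identification field together with a simple statistical detector, as an added example in C that is not part of the slides or of Rowland's covert_tcp: the byte-per-packet encoding, the decoy byte, the benign reference traffic and the detector's threshold are this example's assumptions, and the packets are only built in memory, never sent.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the slides: a storage channel in the 16-bit IP
 * identification field (the idea behind Rowland's covert_tcp), with sender,
 * receiver and the kind of statistical check a defender can run against it.
 * The exact encoding (one message byte in the low byte of the ID, a random
 * high byte as decoy), the threshold in the detector and the benign
 * reference traffic are this example's own assumptions. Packets are
 * constructed in memory; nothing is sent. */

#define MAX_PKTS 128

/* Only the header field the channel abuses is modelled. */
struct ip_pkt { uint16_t id; };

/* Sender: one byte of the message per packet, hidden under a decoy byte. */
static int encode_message(const char *msg, struct ip_pkt *out, int max) {
    int n = (int)strlen(msg);
    if (n > max) n = max;
    for (int i = 0; i < n; i++) {
        uint16_t decoy = (uint16_t)((rand() & 0xff) << 8);
        out[i].id = (uint16_t)(decoy | (uint8_t)msg[i]);
    }
    return n;
}

/* Receiver: strip the decoy byte and reassemble the message. */
static void decode_message(const struct ip_pkt *in, int n, char *out) {
    for (int i = 0; i < n; i++) out[i] = (char)(in[i].id & 0xff);
    out[n] = '\0';
}

/* Detector. A stack of the era fills the ID field from a counter, so
 * consecutive packets from one host differ by a small positive step. Count
 * the pairs that do not (zero or large steps, modulo 2^16) and return them
 * as a percentage of all pairs; a high value means the field carries data. */
static int irregular_id_percent(const struct ip_pkt *p, int n) {
    if (n < 2) return 0;
    int irregular = 0;
    for (int i = 1; i < n; i++) {
        uint16_t step = (uint16_t)(p[i].id - p[i - 1].id);
        if (step == 0 || step > 16) irregular++;
    }
    return irregular * 100 / (n - 1);
}

/* Benign reference traffic: a counter advancing by 1..3 per packet. */
static int make_benign_stream(struct ip_pkt *out, int n, uint16_t start) {
    uint16_t id = start;
    for (int i = 0; i < n; i++) { out[i].id = id; id = (uint16_t)(id + 1 + rand() % 3); }
    return n;
}

/* Convenience wrappers: does a message survive the channel, and what does
 * the detector say about the covert stream versus the benign one? */
static int roundtrip_ok(const char *msg) {
    struct ip_pkt pkts[MAX_PKTS];
    char recovered[MAX_PKTS + 1];
    int n = encode_message(msg, pkts, MAX_PKTS);
    decode_message(pkts, n, recovered);
    return (int)strlen(msg) == n && strcmp(msg, recovered) == 0;
}

static int covert_stream_score(const char *msg) {
    struct ip_pkt pkts[MAX_PKTS];
    int n = encode_message(msg, pkts, MAX_PKTS);
    return irregular_id_percent(pkts, n);
}

static int benign_stream_score(int n) {
    struct ip_pkt pkts[MAX_PKTS];
    if (n > MAX_PKTS) n = MAX_PKTS;
    return irregular_id_percent(pkts, make_benign_stream(pkts, n, 1000));
}

int main(void) {
    srand(1);
    const char *cmd = "uname -a; id";   /* constructed sample command */
    printf("roundtrip ok: %d\n", roundtrip_ok(cmd));
    printf("covert stream: %d%% irregular ID steps\n", covert_stream_score(cmd));
    printf("benign stream: %d%% irregular ID steps\n", benign_stream_score(40));
    return 0;
}
```

The detector works only because the abused field normally has structure; an attacker who encodes into the low bits of a still-incrementing counter lowers the score at the cost of bandwidth, which is exactly the trade-off the slide describes: the channel cannot be eliminated, only narrowed and made noisier to use.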

Slide 28: Countermeasures against Rootkits
Mandatory access control reduces the risk that a compromise reaches system level at all. Anti-rootkit tools monitor kernel data structures and the execution path themselves (IAT, system call table, IDT) and compare them with known-good copies; regular checks detect modifications. Host-based intrusion detection and prevention systems check system integrity by maintaining a list of cryptographic hashes of important resources. Integrity checks are only trustworthy when executed offline, that is, from trusted media while the suspect system is not running, because a running rootkit can filter what the checker reads.

Slide 29: The Future of Rootkits
Modern x86 hardware offers virtualization extensions, informally "ring -1", on which hypervisors for Windows Vista and current Linux versions are built. A recent area of research is the development of so-called virtual-machine-based rootkits. The projects Blue Pill and SubVirt published working proof-of-concept methods that move a running operating system into a virtual environment that is controlled from the outside. Detecting such a rootkit from within the compromised operating system instance becomes very hard, although not impossible: the hypervisor's presence still shows up as timing and resource anomalies that the guest can measure.

Slide 30: References
Greg Hoglund, James Butler, Rootkits – Subverting the Windows Kernel, Addison-Wesley, 2006.
Andreas Bunten, Rootkits – Techniken und Abwehr, Proceedings of the 10th DFN-CERT/PCA Workshop, 2003.
Andrew S. Tanenbaum, Modern Operating Systems, Second Edition, Prentice Hall, 2001.
Daniel P. Bovet, Marco Cesati, Understanding the Linux Kernel, O'Reilly, 2002.
Greg Hoglund, A *REAL* NT Rootkit, patching the NT Kernel, Phrack 55-05, 1999.
Black Tie Affair, Hiding out under Unix, Phrack 25-06, 1989.
Halflife, Abuse of the Linux Kernel for Fun and Profit, Phrack 50-05, 1997.
Invisible Things, Rootkit – Share your old stuff, keep your good stuff.
US DoD, Covert Channel Analysis of Trusted Systems (Light Pink Book), Rainbow Series, 1993.
Craig H. Rowland, Covert Channels in the TCP/IP Protocol Suite, First Monday, May 1997.